Yesterday I was preparing my old MacBook Pro for sale, and after doing a backup I wanted to securely delete all of the hard disk contents. So I started searching for a tool or a solution (before resorting to a live CD) and found that OS X includes a secure delete option in Disk Utility; best of all, the Cupertino boys offer 3 different kinds of secure delete, with different levels of security, to prevent file recovery.

Zero Out Data:

This method writes zeros over all of the data on the drive. This provides a decent level of file security: there are forensic utilities that in theory could retrieve some data, but they are extremely expensive and time consuming, and there are no documented cases of this actually taking place.

7 pass erase:

This method writes data over the disk seven times, and takes 7 times longer than Zero Out Data. It is compliant with the DoD 5220.22-M specification, meaning that it is virtually impossible to retrieve the information.

35 pass erase:

If you are paranoid or really need to protect some files, you can use this method, which writes over the entire disk 35 times. It is said that data erased this way is truly impossible to recover. This option will also take ages to finish.

Well, after checking the options, I went with the 7 pass erase method, and for a 150GB partition it took 7 hours to complete; now I have to do the same for the 100GB partition :(

The Metasploit project has released a tool that demonstrates a system for identifying the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services. No vulnerabilities are exploited by this tool. A properly configured Tor setup should not result in any identifying information being exposed.

It's an interesting tool for checking whether your proxy configuration is really anonymizing your connections, or whether you are relying on a false sense of anonymity.

Hi, this time I will post a brief entry about Oracle forensics. When we talk about Oracle forensics we are talking about David Litchfield, who has researched and developed tools for analyzing Oracle from the forensic point of view.

Next Thursday he will take part in a Black Hat webinar, where he will specifically talk about Orablock:

"The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file - i.e. there's no need to load up the data file in the database which would cause the data file to be modified, so using orablock preserves the evidence. "

When coding in Python and needing a regular expression, I always end up firing up a Python interpreter and trying the regexp on the fly. Now I discovered www.pythonregex.com, a web application built on Google App Engine that lets you try regular expressions without coding a line: you just write the regexp and paste the string or text you want to apply it to.

A new free web application scanner is out, from the same author as Pangolin (a good SQL injection tool). The scanner looks pretty solid and complete for an alpha version; the list of checks is the following:

SQL Injection

XSS

Insecure object usage

Local path disclosure

Insecure directory permissions

Server vulnerabilities such as buffer overflows and configuration errors

Possible sensitive directories and files scan

Backup files scan

Source code disclosure

Command Execute

File Include

Web backdoor

Sensitive information

And much more...

It also claims to exploit the vulnerabilities it finds, but I haven't tried that option yet.

When doing forensic analysis, you often need to find out whether a user ran a binary on the analyzed system. There are several places where we can obtain information about application runs, such as entries in the "RunMRU" registry location (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), but today I will talk about the Prefetcher files.

The Prefetcher:

"It is a component of the Memory manager that speeds up the Windows boot process, and shortens the amount of time it takes to start up programs."

"Windows XP monitors the files that are used when the computer starts and when you start applications. By monitoring these files, Windows XP can prefetch them. Prefetching data is the process whereby data that is expected to be requested is read ahead into the cache. Prefetching boot files and applications decreases the time needed to start Windows XP and start applications."

This feature was introduced with XP, and it is also available in Vista.

In short, when you launch an application Windows creates a .pf file in the prefetch directory (%SYSTEMROOT%\Prefetch\); this file contains the information used to speed up future startups of that application.

This file contains various pieces of information about the application, and at the end of the file we can find the path of the image file.

The name of the file is FILE-HASH.pf, where the HASH is calculated from the path of the image file, so if the same binary is run from two different locations, we will have two different prefetch files.

So now you can determine whether an application was run on the Windows system, you get the MAC times of both the prefetch file and the image file to add to the timeline analysis, and there is also a counter of how many times the application was run. (You can use Windows File Analyzer to extract all of this information.)

This can be helpful when analyzing malware on infected machines: the malware may already have been deleted while its prefetch entry is still present, or you can locate the malware's executable by analyzing all of the prefetch files.

Maybe you are wondering how many files Windows will keep? It is supposed to maintain 128 entries; anything beyond 128 is flushed, and the most frequently used applications are preserved.
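Added example, not code from the original post: a small Python script that walks a Prefetch directory, splits each IMAGE-HASH.pf name into image and hash, pulls the image path from the tail of the file and records the prefetch file's MAC times so they can go straight into a timeline. It assumes the hash is 8 hex digits and that the path strings are stored as UTF-16LE, and it runs against a constructed sample directory rather than a real %SYSTEMROOT%\Prefetch\.

```python
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Prefetch files are named IMAGE-HASH.pf; the hash is derived from the image path,
# so the same binary launched from two directories leaves two .pf files.
# Assumption: the hash is 8 hex digits.
PF_NAME = re.compile(r"^(?P<image>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

def parse_pf_name(name):
    """Split 'NOTEPAD.EXE-1A2B3C4D.pf' into ('NOTEPAD.EXE', '1A2B3C4D'), or None."""
    m = PF_NAME.match(name)
    return (m.group("image").upper(), m.group("hash").upper()) if m else None

def utf16_strings(data, min_chars=8):
    """Printable UTF-16LE strings (assumption: .pf files store paths as UTF-16LE)."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars, data):
        yield m.group().decode("utf-16-le")

def image_path(data, image):
    """Last path-like string ending in the image name; the path sits near the
    end of the file, so scan backwards from the tail."""
    for s in reversed(list(utf16_strings(data))):
        if "\\" in s and s.upper().endswith("\\" + image):
            return s
    return None

def prefetch_timeline(pf_dir):
    """One row per .pf file with the file's MAC times, sorted by modification time."""
    utc = lambda ts: datetime.fromtimestamp(ts, timezone.utc)
    rows = []
    for entry in Path(pf_dir).glob("*.pf"):
        parsed = parse_pf_name(entry.name)
        if parsed is None:  # skip stray files that do not follow IMAGE-HASH.pf
            continue
        image, h = parsed
        st = entry.stat()
        rows.append({"image": image, "hash": h, "pf": entry.name,
                     "path": image_path(entry.read_bytes(), image),
                     "modified": utc(st.st_mtime), "accessed": utc(st.st_atime),
                     "changed": utc(st.st_ctime)})
    return sorted(rows, key=lambda r: r["modified"])

def build_sample_dir():
    """Constructed sample (not a real Windows artifact): a fake .pf whose tail holds a UTF-16LE path."""
    d = Path(tempfile.mkdtemp())
    tail = "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE".encode("utf-16-le")
    (d / "NOTEPAD.EXE-0A1B2C3D.pf").write_bytes(b"\x00" * 128 + tail + b"\x00\x00")
    return d
```

Point prefetch_timeline() at a copy of a real Prefetch directory taken from an image, and sort the rows together with the image file's own MAC times to see when each binary was first and last launched.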